Questo contenuto non è disponibile nella lingua selezionata.

Chapter 2. Upgrading using Helm charts


You must follow a specific upgrade path for RHACS depending on the release of RHACS that you are running. You must also back up your Central database before updating the Helm chart and performing the upgrade.

2.1. Upgrade sequence from RHACS release 3.74 and earlier

When upgrading from earlier releases, follow this guidance:

  • If the release for Central is earlier than 3.74, you must upgrade to the latest 3.74 patch before upgrading to a 4.x release. See the upgrade documentation for version 3.74 for information about upgrades from earlier versions to 3.74.
  • To upgrade to release 4.5 or later from release 3.74, you must first upgrade to any latest patch of RHACS version 4.0 through 4.4. Then you can upgrade to release 4.5 or later.

If you have installed RHACS by using Helm charts, to upgrade to the latest version of RHACS perform the following steps:

  1. Back up the Central database.
  2. Optionally, optimize Central’s database and Persistent Volume Claims (PVC).
  3. Optionally, generate a values-private.yaml configuration file containing root certificates for the central-services Helm chart.
  4. Update the Helm chart.
  5. Run the helm upgrade command.
Important

To ensure optimal functionality, use the same version for your secured-cluster-services Helm chart and central-services Helm chart.

2.2. Backing up the Central database

You can back up the Central database and use that backup for rolling back from a failed upgrade or data restoration in the case of an infrastructure disaster.

Prerequisites

  • You must have an API token with read permission for all resources of Red Hat Advanced Cluster Security for Kubernetes. The Analyst system role has read permissions for all resources.
  • You have installed the roxctl CLI.
  • You have configured the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables.

Procedure

  • Run the backup command:

    $ roxctl -e "$ROX_CENTRAL_ADDRESS" central backup

2.3. Optimizing Central database and PVC

When you upgrade to Red Hat Advanced Cluster Security for Kubernetes (RHACS) 4.0, RHACS creates a PostgreSQL instance called central-db with a default Persistent Volume Claims (PVC). Optionally, you can customize central-db or PVC configuration.

Red Hat recommends the following minimum memory and CPU requests:

central:
  db:
    resources:
      requests:
        memory: 16Gi
        cpu: 8
      limits:
        memory: 16Gi
        cpu: 8

2.4. Generating root certificates file

If you do not have access to your values-private.yaml configuration file that you have used to install Red Hat Advanced Cluster Security for Kubernetes (RHACS), use the following instruction to generate the values-private.yaml configuration file containing root certificates.

Skip the instruction here, if you have access to your values-private.yaml configuration file.

Important

The generated values-private.yaml file has sensitive configuration options. Ensure that you store this file securely.

Procedure

  1. Download the create_certificate_values_file.sh script.
  2. Make the create_certificate_values_file.sh script executable:

    $ chmod +x create_certificate_values_file.sh
  3. Run the create_certificate_values_file.sh script file:

    $ create_certificate_values_file.sh values-private.yaml

2.5. Updating the Helm chart repository

You must always update Helm charts before upgrading to a new version of Red Hat Advanced Cluster Security for Kubernetes.

Prerequisites

  • You must have already added the Red Hat Advanced Cluster Security for Kubernetes Helm chart repository.
  • You must be using Helm version 3.8.3 or newer.

Procedure

  • Update Red Hat Advanced Cluster Security for Kubernetes charts repository.

    $ helm repo update

Verification

  • Run the following command to verify the added chart repository:

    $ helm search repo -l rhacs/

2.6. Additional resources

2.7. Running the Helm upgrade command

You can use the helm upgrade command to update Red Hat Advanced Cluster Security for Kubernetes (RHACS).

Prerequisites

  • You must have access to the values-private.yaml configuration file that you have used to install Red Hat Advanced Cluster Security for Kubernetes (RHACS). Otherwise, you must generate the values-private.yaml configuration file containing root certificates before proceeding with these commands.

Procedure

  • Run the helm upgrade command and specify the configuration files by using the -f option:

    $ helm upgrade -n stackrox stackrox-central-services \
      rhacs/central-services --version <current-rhacs-version> \1
      -f values-private.yaml \
      --set central.db.password.generate=true \
      --set central.db.serviceTLS.generate=true \
      --set central.db.persistence.persistentVolumeClaim.createClaim=true
    1
    Use the -f option to specify the paths for your YAML configuration files.
    $ helm upgrade -n stackrox stackrox-secured-cluster-services \
      rhacs/secured-cluster-services --version <current-rhacs-version> \1
      -f values-private.yaml
    1
    Use the -f option to specify the paths for your YAML configuration files.
Note

You might use the --reuse-values option to preserve the previously configured Helm values during the upgrade. If you do that, you must turn off central-db creation before you upgrade to the next version.

See the following command example:

$ helm upgrade -n stackrox stackrox-central-services \
  rhacs/central-services --version <current-rhacs-version> --reuse-values \
  -f values-private.yaml \
  --set central.db.password.generate=false \
  --set central.db.serviceTLS.generate=false \
  --set central.db.persistence.persistentVolumeClaim.createClaim=false

2.8. Removing Central-attached PV after upgrading to version 4.1 and later

Kubernetes and OpenShift Container Platform do not delete persistent volumes (PV) automatically. When you upgrade RHACS from earlier versions, the Central PV called stackrox-db remains mounted. However, in RHACS 4.1, Central does not need the previously attached PV anymore.

The PV has data and persistent files used by earlier RHACS versions. You can use the PV to roll back to an earlier version before RHACS 4.1. Or, if you have a large RocksDB backup bundle for Central, you can use the PV to restore that data.

After you complete the upgrade to 4.1, you can remove the Central-attached persistent volume claim (PVC) to free up the storage. Only remove the PVC if you do not plan to roll back or restore from earlier RocksDB backups.

Warning

After removing PVC, you cannot roll back Central to an earlier version before RHACS 4.1 or restore large RocksDB backups created with RocksDB.

2.8.1. Removing Central-attached PV using Helm

Remove the Central-attached persistent volume claim (PVC) stackrox-db to free up storage space.

Procedure

  • Run the following command:

    $ helm upgrade -n stackrox stackrox-central-services \
        rhacs/central-services --version <current-rhacs-version> \
        --set central.persistence.none=true

Verification

  • Run the following command:

    $ oc -n stackrox describe pvc stackrox-db | grep -i 'Used By'
    Used By: <none> 1
    1
    Wait until you see Used By: <none>. It may take a few minutes.

2.9. Rolling back a Helm upgrade

You can roll back to an earlier version of Central if the upgrade to a new version is unsuccessful.

Procedure

  1. Run the following helm upgrade command:

    $ helm upgrade -n stackrox \
      stackrox-central-services rhacs/central-services \
      --version <previous_rhacs_74_version> \ 1
      --set central.db.enabled=false
    1
    Replace <previous_rhacs_74_version> with the previously installed RHACS version.
  2. Delete the central-db persistent volume claim (PVC):

    $ oc -n stackrox delete pvc central-db 1
    1
    If you use Kubernetes, enter kubectl instead of oc.
Red Hat logoGithubRedditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita ilBlog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

© 2024 Red Hat, Inc.